PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5711 Netapp CVE debrief

CVE-2016-5711 affects NetApp Virtual Storage Console for VMware vSphere and is described as a non-unique certificate issue that can let remote attackers conduct man-in-the-middle attacks. The CVE was published on 2017-02-07 and is rated critical in NVD with a network-reachable, no-authentication attack profile.

Vendor: Netapp
Product: CVE-2016-5711
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-07
Original CVE updated: 2026-05-13
Advisory published: 2017-02-07
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for NetApp Virtual Storage Console for VMware vSphere deployments, especially where the console is exposed on management networks or used to administer virtualization infrastructure. Certificate, virtualization, and network teams should also review trust and upgrade status.

Technical summary

The issue is a certificate uniqueness flaw: Virtual Storage Console for VMware vSphere used a non-unique certificate before 6.2.1. According to the CVE description and NVD metadata, this can enable remote man-in-the-middle attacks, with NVD assigning CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

Urgent. This is a remotely reachable certificate/trust issue with critical severity and no user interaction required according to NVD scoring.

Recommended defensive actions

  • Upgrade NetApp Virtual Storage Console for VMware vSphere to a fixed release at or above 6.2.1, following the vendor advisory.
  • Inventory all Virtual Storage Console instances and confirm which versions are in use before remediation.
  • Review TLS certificate deployment to ensure each instance uses a unique certificate and that trust chains are as expected.
  • Restrict management-plane network exposure where possible until remediation is complete.
  • Monitor for unexpected certificate reuse, trust anomalies, or signs of interception on management connections.
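One way to carry out the certificate review and reuse monitoring listed above, as an added example that is not part of the original debrief or any NetApp tooling: record the SHA-256 fingerprint of the certificate each instance serves and flag any fingerprint seen on more than one host. The host names, the function names and the sample byte strings are constructed for illustration.

```python
import hashlib
import ssl
from collections import defaultdict


def fetch_der(host, port=443, timeout=5.0):
    """Return the leaf certificate a TLS endpoint serves, as DER bytes.

    The certificate is recorded as presented, without validation, so that
    self-signed or shipped-default certificates are inventoried too.
    The timeout argument requires Python 3.10 or later.
    """
    pem = ssl.get_server_certificate((host, port), timeout=timeout)
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(der):
    """SHA-256 over the DER encoding, the usual certificate fingerprint."""
    return hashlib.sha256(der).hexdigest()


def find_reuse(certs_by_host):
    """Map fingerprint -> sorted hosts, only for certificates on 2+ hosts."""
    groups = defaultdict(list)
    for host, der in certs_by_host.items():
        groups[fingerprint(der)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def inventory(hosts, port=443):
    """Fetch certificates from live hosts; unreachable hosts are skipped."""
    certs = {}
    for host in hosts:
        try:
            certs[host] = fetch_der(host, port)
        except (OSError, ValueError) as exc:
            print(f"skip {host}: {exc}")
    return certs


# Constructed sample: placeholder byte strings standing in for DER certificates.
SAMPLE = {
    "vsc-a.example.internal": b"constructed-der-shared",
    "vsc-b.example.internal": b"constructed-der-shared",
    "vsc-c.example.internal": b"constructed-der-unique",
}

if __name__ == "__main__":
    for fp, hosts in find_reuse(SAMPLE).items():
        print(f"REUSED {fp[:16]}... on {', '.join(hosts)}")
```

For a live check, pass the result of inventory() over your own instance list to find_reuse(); an empty result means every reachable instance served a distinct certificate.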

Evidence notes

The supplied CVE description states the product used a non-unique certificate before 6.2.1 and that remote attackers could conduct MITM attacks. NVD metadata also lists affected CPE criteria for NetApp Virtual Storage Console for VMware vSphere and assigns a critical CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. One scope detail differs slightly between sources: the description says 'before 6.2.1' while the NVD CPE criteria provided here show vulnerability through 6.2.

Official resources

CVE-2016-5711 was published by CVE/NVD on 2017-02-07 and later modified on 2026-05-13. No Known Exploited Vulnerabilities (KEV) entry is provided in the supplied corpus.